Aliyun Dlf Manage Next

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This skill appears purpose-aligned for Alibaba Cloud DLF Next management, but it can use cloud credentials and guide mutating cloud API operations, so users should review actions carefully.

Install only if you intend to let the agent help manage Alibaba Cloud DLF Next resources. Use least-privilege credentials, confirm the account, region, and resource IDs, and require approval before any create, update, modify, set, or delete-style operation.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If broad Alibaba Cloud credentials are available, the agent may be able to inspect or change DLF Next resources in that account.

Why it was flagged

The skill is expected to use Alibaba Cloud credentials for DLF management, but these credentials can grant meaningful cloud-account authority depending on how they are scoped.

Skill content

Environment variables: `ALICLOUD_ACCESS_KEY_ID` / `ALICLOUD_ACCESS_KEY_SECRET` / `ALICLOUD_REGION_ID` ... Shared config file: `~/.alibabacloud/credentials`

Recommendation

Use a least-privilege Alibaba Cloud credential, confirm the target account and region, and avoid exposing broad production credentials unless needed.

What this means

Incorrect parameters or unintended API choices could create, update, or reconfigure DLF Next resources.

Why it was flagged

The skill explicitly supports mutating Alibaba Cloud API operations. This matches the management purpose, but these actions can change real cloud resources.

Skill content

Change/configure: prefer `Create*` / `Update*` / `Modify*` / `Set*` APIs for mutations.

Recommendation

Require explicit user confirmation for mutating calls, verify resource IDs and region before execution, and prefer describe/list calls before and after changes.

What this means

Users have less information for independently verifying the skill author or maintenance source.

Why it was flagged

The registry information does not provide an upstream source or homepage. This is not malicious by itself, but users have less provenance information before allowing cloud credential use.

Skill content

Source: unknown
Homepage: none

Recommendation

Review the included files before use and only provide Alibaba Cloud credentials if you trust the registry owner and skill contents.